SSL Certificate

Posted: Sun Feb 10, 2013 6:11 am
by marc
I couldn't find any documentation about the webserver. I need to install some certificates. Can you help me find some documentation or tell me how to do it?

Thank you very much, marc

Re: SSL Certificate

Posted: Tue Feb 12, 2013 3:33 am
by James.W@AST
Hi Marc,

Here are the instructions on how to generate a self-signed certificate for an ASUSTOR NAS, for your reference.
================================================
You can use the following procedure to generate a self-signed certificate on a Linux system, then import it into the NAS.

1. Generate a private key for the CA
#openssl genrsa -des3 -out ./myrootca.key 2048

2. Use the CA private key to generate a signing request for the CA
#openssl req -new -key ./myrootca.key -out ./myrootca.req

3. Sign the CA request
#openssl x509 -req -days 7305 -sha256 \
    -extfile /etc/ssl/openssl.cnf -extensions v3_ca \
    -signkey ./myrootca.key \
    -in ./myrootca.req -out ./myrootca.crt

4. Generate a private key for the host
#openssl genrsa -out ./myhost.key 2048

5. Use the host private key to generate a signing request for the host
#openssl req -new -key ./myhost.key -out ./myhost.req

6. Sign the host request
#openssl x509 -req -days 3650 -sha256 \
    -extfile /etc/ssl/openssl.cnf -extensions v3_req \
    -CA ./myrootca.crt -CAkey ./myrootca.key \
    -CAserial /etc/ssl/myrootca.srl -CAcreateserial \
    -in ./myhost.req -out ./myhost.crt

7. Append the host certificate to the host private key
#cat myhost.crt >> myhost.key

8. Import myhost.key into the ASUSTOR NAS at [Settings] > [General] > [Certificate Manager]

Re: SSL Certificate

Posted: Fri May 17, 2013 9:33 pm
by blackstar
Hi,
What about a real certificate?
Say I have a domain that I want to secure with SSL encryption.
Is this still valid:

"7. Append the host certificate to the host private key
#cat myhost.crt >> myhost.key

8. Import myhost.key into the ASUSTOR NAS at [Settings] > [General] > [Certificate Manager]"

Is there no need to import a PEM file (intermediate certificate)?

Cheers.

Re: SSL Certificate

Posted: Mon May 20, 2013 9:44 am
by James.W@AST
If you have a real certificate then you don't need these. You just need to convert it to a PEM certificate, since the system only supports X.509 PEM certificates and private keys.

A .pem (Privacy Enhanced Mail) certificate is a Base64-encoded DER certificate, enclosed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----", as you can see in the sample certificate from our web UI. You can find many instructions about how to convert a .cer certificate to a .pem certificate.

Here is a sample command with openssl which should do the trick: # openssl x509 -inform der -in certificate.cer -outform pem -out certificate.pem

Re: SSL Certificate

Posted: Mon May 20, 2013 5:25 pm
by blackstar
Hi,
From what I was able to read and find out via some friends' info, the generated certificate is already in the correct state (crt file with the correct format: enclosed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----") along with a key file (private).

Based on this, will the last command be enough (cat myhost.crt >> myhost.key), and then import into Certificate Manager?

Also, can we achieve two-way certificate authentication (see http://linuxconfig.org/apache-web-serve ... entication)? If so, does the provided website give enough information, or are there additional/alternate procedures to follow?

Cheers.

Re: SSL Certificate

Posted: Mon May 20, 2013 7:22 pm
by James.W@AST
blackstar wrote: Based on this, will the last command be enough (cat myhost.crt >> myhost.key), and then import into Certificate Manager?

Hmm, I think this should work.

blackstar wrote: Also, can we achieve two-way certificate authentication (see http://linuxconfig.org/apache-web-serve ... entication)? If so, does the provided website give enough information, or are there additional/alternate procedures to follow?

I have never done this before, but I think this is workable. As far as I know, if you edit the configuration file from the CLI directly, restarting Apache won't restore it. It will only be restored when you use the Web GUI to modify it...

Re: SSL Certificate

Posted: Mon May 20, 2013 7:54 pm
by blackstar
Unfortunately, there's no way to configure anything in WebGUI aside from protocol, port, virtual host destination path (in the nas folder tree) and desired name of the virtual hosts...

Is there really no way to make it so I can edit the virtual host until a new release allowing more configuration options comes out... ?

Cheers.

Re: SSL Certificate

Posted: Mon Jan 13, 2014 4:01 pm
by Kapitein Haak
A shameless bump of this thread. I have generated a certificate for my registered domain with a trusted CA. I then tried to import the certificate through the GUI, but was unsuccessful. Because I wanted to see if the problem was with the certificate itself, I dug up a manual on installing certificates with lighttpd. I modified the config files on the NAS, restarted lighttpd, and there was the padlock, and the certificate is just fine. So... has anyone had any success importing signed certificates through the GUI? I would prefer to import certificates through the GUI; even though my modification survives a reboot, it just doesn't feel right...

Best regards,
Kapitein Haak.

Re: SSL Certificate

Posted: Wed Jan 15, 2014 4:05 pm
by Kapitein Haak
The issue was found by Asustor support and will be fixed in the next firmware. The certificate requires an additional NEWLINE at the end; as of the next release, an Asustor NAS should also accept certificates without the additional NEWLINE.
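
The file this thread ends up importing (private key with the certificate appended, PEM-encoded, with a newline after the last END line) can be checked before upload. The script below is an added example, not code from ASUSTOR or from any poster; the function names and the sample file are constructed, and it checks file structure only, not the key or certificate contents.

```shell
#!/bin/sh
# Pre-import lint for the combined file built with `cat myhost.crt >> myhost.key`.
# Structure checks only: key and certificate contents are not validated.

# ends_with_newline FILE: true when the last byte is a newline.
# ($(...) strips a trailing newline, so an empty result means one was present.)
ends_with_newline() {
    [ -s "$1" ] && [ -z "$(tail -c 1 "$1")" ]
}

# check_import_pem FILE: print each finding; return 0 only when there are none.
check_import_pem() {
    f=$1; bad=0
    [ -s "$f" ] || { echo "FAIL: $f is missing or empty"; return 1; }
    # A DER file is binary and has no armor lines at all.
    if ! grep -q '^-----BEGIN ' "$f"; then
        echo "FAIL: no PEM armor (DER input? convert to PEM first)"; return 1
    fi
    keys=$(grep -Ec '^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$f" || true)
    certs=$(grep -c '^-----BEGIN CERTIFICATE-----' "$f" || true)
    begins=$(grep -c '^-----BEGIN ' "$f" || true)
    ends=$(grep -c '^-----END ' "$f" || true)
    [ "$keys" -eq 1 ] || { echo "FAIL: expected 1 private key, found $keys"; bad=1; }
    [ "$certs" -ge 1 ] || { echo "FAIL: no certificate block"; bad=1; }
    [ "$begins" -eq "$ends" ] || { echo "FAIL: $begins BEGIN vs $ends END lines"; bad=1; }
    ends_with_newline "$f" || { echo "FAIL: no newline after the last END line"; bad=1; }
    [ "$bad" -eq 0 ] && echo "OK: $keys key, $certs certificate(s), newline-terminated"
    return "$bad"
}

# add_final_newline FILE: append the newline only when it is missing.
add_final_newline() {
    ends_with_newline "$1" || printf '\n' >> "$1"
}

# Constructed sample (placeholder base64, not a real key or certificate).
demo=$(mktemp)
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
    '-----END PRIVATE KEY-----' '-----BEGIN CERTIFICATE-----' \
    'Q09OU1RSVUNURUQ=' > "$demo"
printf '%s' '-----END CERTIFICATE-----' >> "$demo"   # deliberately no final newline
check_import_pem "$demo" || add_final_newline "$demo"
check_import_pem "$demo"
rm -f "$demo"
```
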

Re: SSL Certificate

Posted: Thu Jan 01, 2015 4:50 pm
by dandy010
Kapitein Haak wrote: A shameless bump of this thread. I have generated a certificate for my registered domain with a trusted CA. I then tried to import the certificate through the GUI, but was unsuccessful. Because I wanted to see if the problem was with the certificate itself, I dug up a manual on installing certificates with lighttpd. I modified the config files on the NAS, restarted lighttpd, and there was the padlock, and the certificate is just fine. So... has anyone had any success importing signed certificates through the GUI? I would prefer to import certificates through the GUI; even though my modification survives a reboot, it just doesn't feel right...

Best regards,
Kapitein Haak.


Can I ask how you installed the intermediate certificate on the server?
Thank you.